Peter Braun My understanding is the oauth proxy sets the '_oauth_proxy' cookie after a successful oauth redirect flow to/from the openshift oauth endpoint.

The initial login page and redirect url are both served from the oauth proxy (which is the same host as when you eventually get through to the UPS admin ui), which allows it to set this cookie.

So there is a step where the oauth token is given/presented to the oauth proxy,
the oauth proxy validates that against openshift (serverside),
and then sets a session cookie in the resposne to the browser.

Here is where that session cookie is created https://github.com/openshift/oauth-proxy/blob/master/oauthproxy.go#L339-L348

This looks like where the token (or basic auth if used) is checked before setting a session cookie https://github.com/openshift/oauth-proxy/blob/master/oauthproxy.go#L762-L775